UK government quietly rewrote law to allow its spies to hack

Now we know the real reason why GCHQ is openly trying to recruit hackers...

The bill went into force earlier this year, amending computer misuse laws (Image: Wikimedia Commons)

The UK government "quietly" amended a law exempting intelligence agencies from prosecution for hacking computers, phones, and networks.

Privacy International said it was told "hours" prior to a hearing of its claims against GCHQ, the UK's electronic spy agency, that the UK government had rewritten the Computer Misuse Act to permit its intelligence agencies to conduct cyberattacks.

The privacy group argued the change in the law was in direct response to a claim it brought back in 2014, which challenges the reported hacking activities conducted by GCHQ as described in the Edward Snowden files, which show the agency is able to remotely control smartphones among other activities.

But on June 6 last year -- a month after the complaint was filed -- the UK government introduced the measure as part of the Serious Crime Bill. It went into effect on March 3 this year, just days after an independent UK tribunal that handles civil and criminal cases against intelligence agencies ruled that GCHQ's mass surveillance programs were unlawful.

"It appears no regulators, commissioners responsible for overseeing the intelligence agencies, the Information Commissioner's Office, industry, [non-governmental organizations] or the public were notified or consulted about the proposed legislative changes," the group wrote in a statement.

The change in law doesn't just alter the group's claim, but it "also grants UK law enforcement new leeway to potentially conduct cyber attacks within the UK." (While laws are typically debated in parliament, but the group argued the law was sneaked in "under the radar" and "without proper parliamentary debate," the group said.)

Earlier this month, GCHQ announced it would for the first time openly hire network and computer hackers, which the agency said had the aim of both "detecting and preventing attempts to attack the critical national infrastructure, or seeking to defend government systems against criminals seeking to steal information, identities or money."

Privacy International's case will continue on to the European Court of Human Rights, which is expected to take the case later this year.